Abstract



In recent years, chaotic attractors have been extensively used in the design of secure
communication systems. One of the preferred ways of transmitting the information
signal is binary chaotic modulation, in which a binary message modulates a parameter
of the chaotic generator. This paper presents a method of attack based on
estimating the short-time period of the ciphertext generated from the modulated
chaotic attractor. By calculating and then filtering the short-time period of the
transmitted signal it is possible to obtain the binary information signal with great
accuracy without any knowledge of the parameters of the underlying chaotic system.
This method is successfully applied to various secure communication systems
proposed in the literature based on different chaotic attractors.



Key words: Chaotic cryptosystems, Chaotic attractors, Cryptanalysis, Short-time
period, Lorenz, Chua, Rössler

PACS: 05.45.Vx, 47.52.+j.



1 Introduction 



During the last decade, there have been many proposals to apply non-linear 
dynamical systems to cryptography and secure communications under the 
assumption that chaotic orbits resemble random-number generators and might 
mask information signals [1,2,3]. There exist two main approaches to chaotic
cipher design: analog and digital. The first one is based on the concept of
chaotic synchronization, first shown by Pecora and Carroll [4]. In these systems,
the information can be transmitted by the chaotic signal in a number of ways,
including, but not limited to, chaotic masking [5,6,7,8,9], in which the analog
message signal $i(t)$ is added to the output of the chaotic generator $x(t)$ in the
transmitter; chaotic switching or chaos shift keying (CSK) [10,11], in which
a binary message signal is used to choose between two statistically similar
chaotic attractors; chaotic modulation (CM) [12,13,14,15,16,17,18], in which
a message, most frequently in binary form, modulates a parameter of the
chaotic generator; or inverse system approach (ISA), in which the receiver
system runs in an exactly inverse way of the transmitter system to exactly
recover the message [19,20]. Regardless of the method used to transmit the
message signal, the receiver has to synchronize with the transmitter's chaotic
generator to regenerate the chaotic signal $x(t)$ and thus recover the message.



Chaotic modulation has been repeatedly used as an information concealing 
method throughout the years until very recently [12,13,15,16,17,18]. In the 
literature, when a binary digital signal is to be encrypted by this means, one 
of the state variables of the modulated chaotic system is commonly taken as 
the transmitted encrypted message. The key of the cryptosystem is composed
of the unknown internal parameters of the chaotic system. Thus, the only
information available to the attacker is the instantaneous value of the trans- 
mitted state variable. In [21] it is pointed out that most widely-used chaotic 
attractors in secure communication systems exhibit an inherent frequency de- 
pendent on the system parameters. As a result, it is reasonable to assume that 
the period of chaotic signals generated using different sets of parameters must 
be different. This letter shows that this assumption proves to be true, even for 
small variations of the parameters, and for different types of synchronization 
and parameter modulation. A method based on short-time period estimation 
is described to detect these slight variations in period to be able to discern 
between different attractors and thus between different values of the binary 
information signal. The method works for different chaotic attractors, different 
synchronization, and different modulation techniques. 



The rest of this letter is organized as follows. In Sec. 2, the method used to 
compute the short-time period is explained. In Sec. 3, some examples of how 
the method works are given. The examples use different modulation techniques 
to encrypt the message signal. In Sec. 4, our method is compared against 
other cryptanalytic methods frequently found in the literature. Finally, Sec. 5 
concludes the letter. 



2 Measuring the short-time period 



In this section the method followed to calculate the short-time period of a
chaotic scalar signal is explained. The use of 3-D chaotic attractors is assumed,
given as an autonomous continuous dynamical system $\dot{\mathbf{x}} = f(\mathbf{x})$. Two
trajectories $\mathbf{x}(t)$ and $\mathbf{x}'(t)$ are said to completely synchronize if:

$$\lim_{t \to \infty} |\mathbf{x}(t) - \mathbf{x}'(t)| = 0. \tag{1}$$



For robust synchronization to be maintained, it is required that all conditional 
Lyapunov exponents (CLE) of the response subsystem are negative [4]. 

As is well known, chaotic signals present some properties such as sensitive
dependence on parameters and initial conditions, ergodicity, mixing, and dense
periodic points. These properties make them similar to pseudorandom noise. As
a result, this apparent randomness has motivated their use in secure
communication applications. The most widely-used chaotic signal generators in this
context are based on the double-scroll Lorenz and Chua attractors, and on
the single-scroll Rössler attractor. As studied in [21], these chaotic attractors
exhibit an inherent frequency uniquely determined by their system parameters.
When present, this frequency can be measured over long-time periods.
However, in this work we are interested in knowing the fast fluctuations in 
the frequency in short term in an effort to estimate the attractor's instanta- 
neous frequency. We try to measure the short-time period as a function of time 
to unmask the binary modulating signal. If the signal is periodic or nearly- 
periodic, calculating the short-time zero-crossing rate (STZCR) or a short 
Discrete Fourier Transform (DFT) would be enough, but chaotic signals are 
essentially aperiodic. Nevertheless, along the trajectory followed by an initial 
point in these attractors there are regions where the movement is very close to 
periodic, thus allowing for a very accurate estimation of the short-time period. 
The peculiarities of different chaotic signals require the customization of the 
method for the three different types of attractors under consideration. Once 
a sufficiently stable region is found as described in the next section, then it is 
possible to compute the short-time period following the procedure described 
below. 

In parameter modulation based chaotic secure communication systems, one
parameter of the attractor is changed according to the binary value of the
information signal $i(t)$ regardless of the synchronization method. Usually one
state variable of the attractor, $x_i(t)$, is used to convey the concealed
information signal. This state variable is the only information available to the
attacker. Let us note that the orbit followed by an initial condition is
generally non-uniform. However, if a 2-D projection of the chaotic attractor is
used, it will be observed that there is always a region in which the average
rotation angular speed is almost constant, i.e., the elapsed time for each visit
to this region is almost constant. The part of the signal corresponding to this
nearly-periodic region is used to make the measure as accurate as possible.
Thus, instead of measuring the whole period, which may lead to inaccurate
results, only a fraction of the period is measured, corresponding to the elapsed
time within the nearly-periodic region in each rotation. Let us note that this
method tries to spot variations in the short-time period and is not concerned
with measuring its exact value. Next, a new time signal $p(t)$ is created by
assigning this measured value to $p(t)$ for the duration of the whole rotation
period of $x_i(t)$. Once $p(t)$ has been created, its DC component is removed
by subtracting its mean value. The new signal is $p^*(t)$. Last, an appropriate
moving average filter with a Hanning window is applied to $p^*(t)$ to smooth
the result. As will be seen, the resulting filtered signal, $fp^*(t)$, suffices to
detect the plaintext, although a Schmitt-Trigger with adequate switch-on and
switch-off levels might be used to obtain the final recovered signal, $i^*(t)$.

In the next section, several examples are given where the above process is 
further explained and successfully applied to the cryptanalysis of different 
types of chaotic modulation based secure communication systems. 



3 Examples 



In this section the performance of the short-time period estimation method 
is analyzed when applied to different secure communication systems proposed 
in past and recent literature, including the classical parameter modulation 
method, a phase synchronization method, and an adaptive observer-based 
chaos synchronization method. We believe such a cryptanalysis method can 
be further generalized to break other secure communication systems. 



3.1 Classical parameter modulation method



The first implementation of parameter modulation [12] uses the well-known
double-scroll Lorenz attractor [22] as the chaotic signal generator. The
transmitter end is represented by:

$$\begin{aligned}
\dot{x}_1 &= a(x_2 - x_1),\\
\dot{x}_2 &= r x_1 - x_2 - x_1 x_3,\\
\dot{x}_3 &= x_1 x_2 - b(i(t))\,x_3,
\end{aligned} \tag{2}$$

where $a$, $r$, and $b$ are the internal system parameters. Furthermore, $i(t)$ is a
binary information signal controlling the parameter $b$ to be one of two different
values $b_0$ and $b_1$. At the receiver end, an identical system is used by tuning
the parameter $b$ to be $b_0$ (or $b_1$). When the receiver subsystem synchronizes
with the transmitted signal in the sense described by Eq. (1), it is known that
$b_0$ (or $b_1$) was used at the transmitter end; when it does not synchronize, the
other value is assumed. In such a way, the binary message $i(t)$ is decrypted
from $b = b_0$ or $b_1$ at each given time $t$.

When the Lorenz attractor is used, usually either $x_1(t)$ or $x_2(t)$ is transmitted
as ciphertext. In [12], $x_1(t)$ is used (see Fig. 2.b), $a = 16.0$, $r = 45.6$, and
the modulated parameter is $b$, taking values $b = 4$ or $4.4$ for the binary signal
equal to $i(t) = 0$ or $i(t) = 1$, respectively. The message signal $i(t)$ is plotted
in Fig. 2.a.

The Lorenz chaotic signal must be first correctly conditioned before computing
its short-time period. As can be observed in Fig. 1.a, the orbit followed by an
arbitrary initial point spirals around the two scrolls, jumping from one scroll
to the other in a chaotic manner. The work with this attractor is simplified if
its absolute value is taken: $y_i(t) = |x_i(t)|$, $i = \{1, 2\}$. This operation folds the
attractor back on itself due to its symmetry with respect to $x_1 = 0$ and $x_2 = 0$,
in such a way that the trajectories spiral around one merged scroll in the
same rotation direction, as observed in Fig. 1.b. As discussed in the previous
section, to obtain the maximum accuracy in the estimations, the rotation
duration is measured on the region where the average rotation angular speed
is almost constant. This region, plotted in Fig. 1.b, can be easily computed
as the region to the right of the middle value of the maximum value of $y_1(t)$.
In the example, the period is computed as the elapsed time during which
$\max(y_1)/2 < y_1(t) < \max(y_1)$ holds.

The rest of the process of measuring the short-time period value is quite similar
to the one outlined in the previous section, but proceeding with $y_1(t)$ instead.
Following this process, plotted in Figs. 2.c-f, the original message signal is
recovered with great accuracy. A Schmitt-Trigger with switch-on level of
and switch-off level of $-20$ was used. The recovered signal $i^*(t)$ is slightly
delayed with respect to the original $i(t)$ due to the delay introduced by the
filter and can be easily removed if desired.

It must be added that this method of parameter modulation has been known
to be insecure for many years [23,24,25,26].



3.2 Phase synchronization method 



Most secure chaotic communication systems are based on complete
synchronization in the sense of Eq. (1), whereas new cryptosystems have been
proposed based on phase synchronization [18]. This scheme hides binary messages
in the instantaneous phase of the drive subsystem used as the transmitting
signal to drive the response subsystem. At the receiver, the phase difference
is detected and its strong fluctuation above or below zero allows the plaintext
to be recovered at certain coupling strength. The secure communication process is
illustrated in [18] by means of an example based on coupled Rössler chaotic
oscillators. In the example, the drive subsystem is formed by two
weakly-coupled oscillators. The plaintext is used to modulate the same parameter in
both oscillators 1 and 2. The equations of the drive subsystem are:

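$$\begin{aligned}
\dot{x}_{1,2} &= -(\omega + \Delta\omega)\,y_{1,2} - z_{1,2} + \varepsilon(x_{2,1} - x_{1,2}),\\
\dot{y}_{1,2} &= (\omega + \Delta\omega)\,x_{1,2} + a\,y_{1,2},\\
\dot{z}_{1,2} &= 0.2 + z_{1,2}(x_{1,2} - 10).
\end{aligned} \tag{3}$$

The response subsystem is governed by:

$$\begin{aligned}
\dot{x}_3 &= -\omega' y_3 - z_3 + \eta\left((x_3^2 + y_3^2)^{1/2}\cos\phi_m - x_3\right),\\
\dot{y}_3 &= \omega' x_3 + a' y_3,\\
\dot{z}_3 &= 0.2 + z_3(x_3 - 10).
\end{aligned} \tag{4}$$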

In the example, the parameter values are: $\omega = \omega' = 1$, $\varepsilon$ = 5x 10^^, $\eta = 5.3$,
and $a = a' = 0.15$. The parameter $\omega$ corresponds to the natural frequency
of the Rössler oscillator drive subsystems 1 and 2. The parameter $\omega'$
corresponds to the natural frequency of the Rössler oscillator driven subsystem 3, $\varepsilon$
corresponds to the weak coupling factor between the oscillators 1 and 2, and $\eta$
corresponds to the strong coupling factor between the 2 driven oscillators and
the response oscillator 3. The parameter mismatch $\Delta\omega$ is modulated by the
plaintext, being $\Delta\omega = 0.01$ if the bit to be transmitted is "1" and $\Delta\omega = -0.01$
if the bit to be transmitted is "0".

The ciphertext consists of the phase of the mean field of the drive oscillators:

$$\phi_m = \arctan\frac{x_1 + x_2}{y_1 + y_2}, \tag{5}$$

where arctan is the arctangent function of the argument, from $-\pi$ to $\pi$.

The signal available to the attacker is $\phi_m(t)$, the instantaneous phase. In the
following, without loss of generality, only $\phi_1(t) = \arctan(x_1/y_1)$ is considered
to qualitatively illustrate the behavior of the Rössler attractor. In Fig. 3.a it
is observed that for $x_1(t) < 0$, the rotation angular speed is approximately
constant, i.e., the phase increases almost linearly. However, depending on the
system parameters chosen, the phase can change abruptly in the first quadrant
when $0 < \phi_1(t) < \pi/2$. Thus, this is the part of the signal to be avoided
to compute the short-time period. Although this cryptosystem was already
broken by an economic brute-force attack in [27], Fig. 4 shows the results
obtained after applying a more elegant and straightforward avenue of attack
using the cryptanalysis described in this letter. In the example analyzed, the
signal conditioning is limited to considering $\pi/2 < |\phi_m(t)| < \pi$ to compute
$p(t)$. In this case, it is not necessary to filter $p^*(t)$ because each bit of the
plain-signal corresponds exactly to one short-time period of $p^*(t)$. Thus, by
simply rescaling $p^*(t)$ a perfect estimation of $i(t)$ is obtained. Again, the time
delay can be removed if desired.
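An added example (not code from the paper) that carries the Sec. 2 steps through for this Rössler case: it measures the time spent in $\pi/2 < |\phi| < \pi$ on each rotation, removes the DC level, and reads the bits from the sign of $p^*(t)$. Assumptions not taken from the paper: a single uncoupled drive oscillator with $\phi_1$ as ciphertext, the phase computed as atan2(y, x) so that the measured region is the $x_1 < 0$ half-plane, a Runge-Kutta step of 0.01, bits lasting 40 time units with a known bit clock, and a constructed message.

```python
import math

# a, omega and delta-omega are the page's values; DT, BIT_TIME and the
# start state are assumptions made for this example.
A, OMEGA, D_OMEGA = 0.15, 1.0, 0.01
DT, BIT_TIME = 0.01, 40.0
HALF_PI = math.pi / 2


def rossler(state, w):
    """Right-hand side of Eq. (3) for one oscillator, coupling set to zero."""
    x, y, z = state
    return (-w * y - z, w * x + A * y, 0.2 + z * (x - 10.0))


def rk4_step(state, w, dt):
    """One classical fourth-order Runge-Kutta step."""
    def shifted(k, h):
        return tuple(s + h * ki for s, ki in zip(state, k))
    k1 = rossler(state, w)
    k2 = rossler(shifted(k1, dt / 2), w)
    k3 = rossler(shifted(k2, dt / 2), w)
    k4 = rossler(shifted(k3, dt), w)
    return tuple(s + dt / 6 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4))


def transmit(bits):
    """Transmitter: bit 1 -> +D_OMEGA, bit 0 -> -D_OMEGA; returns phase samples."""
    state, phi = (5.0, 0.0, 0.0), []
    for bit in bits:
        w = OMEGA + (D_OMEGA if bit else -D_OMEGA)
        for _ in range(round(BIT_TIME / DT)):
            phi.append(math.atan2(state[1], state[0]))
            state = rk4_step(state, w, DT)
    return phi


def short_time_period(phi, dt):
    """Per rotation, time spent with pi/2 < |phi| < pi, as (mid_time, dwell)."""
    dwells, t_in = [], None
    for i in range(1, len(phi)):
        prev, cur = phi[i - 1], phi[i]
        was_in, is_in = abs(prev) > HALF_PI, abs(cur) > HALF_PI
        if was_in == is_in:
            continue
        # Linear interpolation of the instant at which |phi| crosses pi/2.
        edge = math.copysign(HALF_PI, cur if is_in else prev)
        t = (i - 1 + (edge - prev) / (cur - prev)) * dt
        if is_in:
            t_in = t
        elif t_in is not None:
            dwells.append(((t_in + t) / 2, t - t_in))
            t_in = None
    return dwells


def recover_bits(phi, dt, bit_time, n_bits):
    """Remove the DC level from p(t) and read each bit from the sign of p*(t)."""
    dwells = short_time_period(phi, dt)
    mean = sum(d for _, d in dwells) / len(dwells)
    score = [0.0] * n_bits
    for t, d in dwells:
        score[min(int(t // bit_time), n_bits - 1)] += d - mean
    # A larger natural frequency shortens the dwell, so negative p* means "1".
    # Without that polarity the message is recovered up to inversion.
    return [1 if s < 0 else 0 for s in score]


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed plaintext
    ciphertext = transmit(message)
    print(recover_bits(ciphertext, DT, BIT_TIME, len(message)))
```

The recovery uses only the phase samples and the bit clock; none of the oscillator parameters enter `short_time_period` or `recover_bits`.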



3.3 Adaptive observer-based chaos synchronization 



In [17], the author proposes a symmetric secure communication system based 
on parameter modulation of a chaotic oscillator acting as a transmitter. The 
receiver is a chaotic system synchronized by means of an adaptive observer. 
Two sample implementations are given: one with the Lorenz attractor and
another with the Chua attractor. In this letter the latter will be broken, to
illustrate how our method works with a different double-scroll attractor. It works
equally well for Lorenz, though.

Chua's circuit dynamics can be described by the following equations:

$$\begin{aligned}
\dot{x}_1 &= \alpha(-x_1 + x_2) - f_1(x_1),\\
\dot{x}_2 &= x_1 - x_2 + x_3,\\
\dot{x}_3 &= -\beta x_2,
\end{aligned} \tag{6}$$

where $f_1(x) = bx + 0.5(a - b)(|x + 1| - |x - 1|)$. In the example the
system is implemented with the following parameter values, $(\alpha, \beta, a, b) =
(10, 18, -4/3, -3/4)$. The signal used for synchronization of the receiver is
$x_1$. The encryption process is defined by modulating the parameter $\beta$ with the
binary encoded plaintext, so that it is $\beta + 1.25$ if the plaintext bit is "1" and
$\beta - 1.25$ if the plaintext bit is "0". The duration of the plaintext bits must
be much larger than the convergence time of the adaption law. The uncertain
system can be rewritten in a compact form as:

(9)

$$\theta = \Delta\beta = \pm 1.25. \tag{10}$$

The transmitted ciphertext is the signal $x_3(t)$.

Again, we are dealing with a double-scroll attractor. In contrast to the Lorenz
attractor, the trajectory followed by an arbitrary initial point in the Chua
attractor is uniform enough to allow the direct estimation of the (whole)
short-time period from the transmitted signal $x_3(t)$.

After applying this method to $x_3(t)$, as shown in Figs. 5.c-f, the original
message signal is recovered with great accuracy. A Schmitt-Trigger with switch-on
and switch-off levels of 10 and respectively was used. The recovered signal
$i^*(t)$ is slightly delayed with respect to the original $i(t)$ due to the delay
introduced by the filter and can be easily removed if desired.



4 Comparison with other attack methods 



Throughout the years, different methods have been proposed to attack chaos- 
based secure communication systems. In this section, the performance of the 
short-time period estimation method is compared against the most relevant. 

The return-map method was initially devised by [28] and further developed 
by [24]. Given one of the variables in the chaotic system, one or more proper
return maps can be constructed allowing for a partial reconstruction of the 
dynamics. By analyzing the evolution of the signal on the attracting sets 
of those maps, the message can be extracted under certain conditions. These 
attacks can be performed without the knowledge of the precise structure of the 
chaotic system in use. This method not only decrypts ciphertexts encrypted 
using chaotic modulation, but also using chaotic masking. However, it does 
not work for phase synchronization cryptosystems. There are some improved 
cryptosystems [29] which avoid the return map attack by modulating the 
transmitted signal with an appropriately chosen scalar signal. Our method 
was checked against this improved method. The results show that it is still 
able to directly recover the correct signal, and also can be used to identify and 
remove the modulating signal, thus rendering the return-map attack again 
possible. 

In [23], the short-time zero-crossing rate (STZCR) of the differential of the
transmitted signal is used to recover the information digital signal. This
method presents the limitation of only working on single-scroll Chua's circuits
proposed in [10], while this letter generalizes this method so that it can be used
on different chaotic attractors, including the three most frequently-used ones,
i.e., (double-scroll) Lorenz, (single-scroll) Rössler and (double-scroll) Chua
attractors. In this letter different conditioning methods are discussed to show
the great flexibility of our method. In doing so, we have partially revealed the
theory hiding behind the nearly-stable short-time period of many 3-D chaotic
attractors.

When two different attractors (or for the same event, the same attractor with 
two different parameter sets) are switched to encode a binary message, a spec- 
trogram might reveal the evolution of the energy distribution in spectral-time 
space from the transmitted signal. If the two chaotic attractors have some 
detectable difference in their spectrums, then the spectrogram can be used to 
detect this difference and thus unmask the scrambled binary information [25]. 
This method can be used in chaotic masking too, but does not work for phase 
synchronization. 

In the same way that changing the parameter in an attractor affects its fre- 
quency, it is reasonable to assume that also small changes in its amplitude 
will take place when shifting from one set of parameters to the other. This 
approach was used in [30], squaring the ciphertext signal and low-pass filtering 
it, so that the enveloping waveform, i.e., the binary modulating signal, was 
finally extracted. This method performs well when the difference in amplitude 
of the two bits in the modulating square waveform is big enough to be observed 
after the filtering. Obviously, it does not work for phase synchronization where 
the amplitude does not change. 

The generalized synchronization attack, first introduced by [26], assumes that 
the attacker knows the type of attractor used for the transmission and re- 
ception, but ignores the precise value of the parameters, which usually are 
considered to be the secret key of the cryptosystem. Using the concept of 
generalized synchronization (GS) defined in [31], the attacker's receiver uses 
a set of parameters which is completely different to the secret key and thus 
will never achieve synchronization. Nevertheless, by measuring the synchro- 
nization error over time, it is possible to detect the switching between the two 
attractors in the transmitter as a variation in the square error. This one is 
a very powerful technique when complete synchronization is used. It doesn't 
work for some other types of synchronization though. 



5 Conclusion 



A new cryptanalytic method to break parameter modulation based chaotic 
secure communication systems is presented. The method computes the short- 
time period of the ciphertext signal to detect slight variations in its frequency. 
For the method to work in a wide variety of modulation techniques and for
different chaotic attractors, first the transmitted signal must be conditioned
according to the structure of the underlying chaotic attractor used for the 
modulation. The letter describes the different conditioning processes required 
for different attractors and explains how to calculate the short-time period 
variation as a function of time of the conditioned signal. The signal processing 
required to eventually recover the original plaintext is explained. Finally, this 
method is compared to some other cryptanalytic techniques used in literature. 
It is shown that it is the first method apart from brute force which recovers 
the signal when phase synchronization is used. Some important facts about 
the nearly-stable short-time period of many 3-D chaotic attractors are also 
revealed by this work. 
Figures and captions

Fig. 1. The Lorenz attractor: a) $x_1$-$x_3$ projection; b) $|x_1|$-$x_3$ projection.

Fig. 2. Breaking classical parameter modulation using Lorenz attractor: a) original
binary information signal, $i(t)$; b) the transmitted state variable signal or ciphertext,
$x_1(t)$; c) the short-time period signal, $p(t)$; d) the positive value after removing DC
component, $p^*(t)$; e) the low-pass filtered signal, $fp^*(t)$, revealing the modulation
signal; f) recovered message signal, $i^*(t)$, after adequate detection.

Fig. 3. The well-known Rössler attractor: a) $x_1$-$y_1$ projection; b) $x_1$-$z_1$ projection.

Fig. 4. Breaking phase synchronization using Rössler attractor: a) original binary
information signal, $i(t)$; b) the transmitted phase signal or ciphertext, $\phi_m(t)$; c) the
short-time period signal, $p(t)$; d) the positive value after removing DC component,
$p^*(t)$; e) recovered message signal, $i^*(t)$, after adequate detection.

Fig. 5. Breaking adaptive observer-based chaos synchronization using Chua
attractor: a) original binary information signal, $i(t)$; b) the transmitted state variable
signal or ciphertext, $x_3(t)$; c) the short-time period signal, $p(t)$; d) the clipped
signal, $p^*(t)$, after removing singular peaks and DC component; e) the low-pass filtered
signal, $fp^*(t)$, revealing the modulation signal; f) recovered message signal, $i^*(t)$,
after adequate detection.